Accessibility links

Cyberattack On Ukrainian Power Grid Looks To Some Like An Apocalyptic First

  • Frud Bezhan

People shop in a store during a blackout in Crimea on November 26.

People shop in a store during a blackout in Crimea on November 26.

For years, experts have warned with mounting concern that critical infrastructure virtually anywhere in the world is vulnerable to cyberattack.

Malicious code sent remotely could shut down or otherwise wreak havoc at airports, hospitals, skyscrapers -- anywhere that relies on computers to steer traffic, deliver life-saving technology, or carry out any number of vital functions.

Now, cybersecurity specialists say that doomsday scenario has arrived.

They are pinning a blackout in a swath of war-torn Ukraine last month that darkened hundreds of thousands of homes on code that they say directly shut down at least three regional utilities.

ESET, a Bratislava-based security software firm, called the interruption the first power outage proven to have been caused by a cyberattack. ESET, which studied samples of the malicious code that infected at least three power authorities in neighboring Ukraine, said the malware caused the blackout.

U.S.-based computer security firms Trend Micro and iSight Partners have confirmed ESET's findings.

'Dangerous Scenario'

Robert Lipovsky, senior malware researcher at ESET, said the incident in Ukraine was "unprecedented" and called it a "dangerous scenario."

"The alarming aspect of this attack was that the infection vector that the malware was getting in was phishing" -- a reference to the practice of gathering sensitive information like passwords or other confidential data, often to cause harm -- "mail with a malicious attachment, which is quite a trivial way to get in," Lipovsk says. "It's alarming that it was so easy."

Ukraine power company Prykarpattyaoblenergo reported the power outage on December 23 that left about half of the homes in the Ivano-Frankivsk region, in western Ukraine, without electricity. Similar malware was also found in the networks of at least two other utilities in Ukraine. All three blackouts occurred around the same time.

Prykarpattyaoblenergo said part of the area it serves had been left without energy due to "interference" in the work of the system.

Lipovsky said multiple Ukrainian power authorities were infected by BlackEnergy, a malware toolkit discovered in 2007 that has been repeatedly updated to include new destructive functions, including the ability to render infected computers unbootable (so they cannot be started up).

He said the attackers used BlackEnergy to access utility networks and then planted a related component of malware, KillDisk, on targeted systems. KillDisk can delete or overwrite data files.

KillDisk destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems.


Until now, experts in cybersecurity and law enforcement say BlackEnergy has mainly been used to spy on news organizations, power companies, and other industrial groups. A Moscow-based group, Sandworm, is suspected of using it for targeted attacks.

Lipovsky says the latest BlackEnergy also includes a covertly planted tool -- referred to among experts as a "backdoored secure shell utility" -- that gives attackers permanent access to infected computers.

The Ukrainian Security Service (SBU) has blamed Russia for the outages, and the Energy Ministry in Kyiv has set up a commission to investigate the incidents.

Russia invaded Ukraine's Crimean Peninsula in 2014 before annexing it and has continued to supply troops, weapons, and other support for armed pro-Moscow separatists in the eastern Ukrainian regions of Luhansk and Donetsk, Kyiv and NATO allege. In the face of seemingly overwhelming evidence, Russian officials continue to deny they are involved.

Cybersecurity experts consider Russia one of the world's most advanced cyberpowers, along with the United States, China, Israel, France, and Britain.

Russia complains that it has itself become a target, saying Russian security services detected a sharp rise in cyberattacks after the Ukraine crisis worsened and ties with the West deteriorated.

But Lipovsky said it was difficult to point fingers at anybody because clues in the coding of the malware can easily be forged.

Fears Of More Attacks

"It's a dangerous precedent," said Edward Lucas, senior editor at The Economist weekly and senior vice president at the Center for European Policy Analysis, a think tank in Warsaw and Washington.

Lucas, whose latest book, Cyberphobia, heaps questions on popular notions of digital security, added that because attribution is difficult in cybersecurity, the Ukraine cyberattack could even be carried out by "someone using the tension between Russia and Ukraine to test some malware."

The Ukraine incident has raised fears that it could provide a precedent, prompting other countries to use similar tactics.

"If there is a determined attacker trained to get in and they have the sufficient resources and time and money to put the effort in, then they can" carry out similar cyberattacks, said Lipovsky.

He said there were only so many companies or governments capable of leading the fight against cyberattacks.

"People need to put a lot of effort into mitigating these risks so they aren't hacked into in the future," he said.

The cyberattacks came before Ukrainian police blamed saboteurs for blowing up an electricity pylon on December 31, thus shutting down the delivery route for electricity to at least one-quarter of Crimea's residents.

The sabotaging of four other pylons in late November cut off power and prompted a state of emergency, prompting mutual finger-pointing by both Russian and Ukrainian authorities.

  • 16x9 Image

    Frud Bezhan

    Frud Bezhan covers Afghanistan and the broader South Asia and Middle East region. Send story tips to